The chief executive of TalkTalk, Dido Harding, has told MPs that she alone is responsible for cyber security at the company, but that the operator does not yet know if the major hack it experienced in October was avoidable.
The hack led to the personal details of more than 156,000 people being accessed by hackers and the company estimating £35m in losses related to the incident.
Speaking to the Culture, Media and Sport Committee yesterday Harding said: "Cyber security is a board level issue, and I am responsible for it."
She said there was no specific line manager for cyber security as the responsibility cuts across multiple roles in the company.
Asked if that meant sanctions ought to be imposed at board level, she replied that would depend if the loss of data was avoidable or not. "At this stage we just don't know."
However, Harding failed to mention that just before the hack the company had been advertising for an information security officer.
"Clearly there is a lot more we can and will do going forward. But we are far from alone in having cyber attacks," she told MPs.
She said the company had wanted to inform customers of the breach sooner, but had been advised by police not to do so. "One of the most difficult periods was the first 36 hours of the attack," she said. The company had received a ransom demand and had informed the police. "The next day it was very clear there was a real risk material number of customers data stolen."
She said: "I was clear by lunchtime [the next day] that the sensible thing to do to warn customers, that would make them safer. For understandable reasons, advice received from the police was not to warn our customers."
She said that it had been a reasonable position for cops to take as the police's priority was to catch the criminals.
She said that the incident had been the first specific breach of TalkTalk's systems. Previous incidents where customers details had been compromised were due to third-party attacks, she told MPs.
Harding also addressed the subject of customer card encryption, which she had previously claimed the company was under no legal obligation to use. She said: "There’s a temptation for people to think that encryption is a kind of silver bullet, that if you encrypt everything it will be OK. For some sorts of data [it's] not a high enough format.
"One of the reasons that none of customers' credit card details were sold in a usable form was because they were not encrypted, they were tokenised. Which means you block out completely the six digits in the middle of the credit card."
Earlier in the hearing, Harding had claimed: "What the criminals effectively did was successfully find a needle in a haystack of haystacks."®